Internationalized Domain Name Vulnerability in Apostrophe Technologies' Sanitizer
CVE-2021-26539

5.3MEDIUM

Key Information:

Vendor

Apostrophecms

Status
Sanitize-html
Vendor
CVE Published:
8 February 2021

What is CVE-2021-26539?

Apostrophe Technologies' sanitize-html prior to version 2.3.1 fails to effectively process internationalized domain names (IDN). This oversight permits attackers to circumvent the hostname whitelist validation enforced by the 'allowedIframeHostnames' option. As a result, malicious actors could exploit this vulnerability to inject unverified content, posing significant security risks to applications utilizing this sanitizer.

References

https://github.com/apostrophecms/sanitize-html/blob/main/...
x_refsource_MISC
https://github.com/apostrophecms/sanitize-html/pull/458
x_refsource_MISC
https://advisory.checkmarx.net/advisory/CX-2021-4308
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.